[Intrusions] Assessing Your Malware Exposure with Snort

kenneth gf brown ken at shadowplay.net
Sat Feb 19 07:14:36 GMT 2005



and without going to www.kgb.to (interesting domain), which doesn't match your email domain ...

how do we know that kgb.to isn't evil...

ah the paradox...

kenneth gf brown 
ceo shadowplay.net


> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of 
> Cory.Bys at fbol.com
> Sent: February 15, 2005 10:39
> To: intrusions at lists.sans.org
> Subject: [Intrusions] Assessing Your Malware Exposure with Snort
> 
> 
> I have written a few thousand Snort rules that are intended 
> to detect successful HTTP communication with hosts known to 
> be evil. They look for domain names in the Host string so 
> they are not subject to evasion by changing IP addresses.
> 
> If you would like to give them a try you can grab them from 
> http://www.kgb.to/malware.html .
> 
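
One way to act on the trust question raised above is to lint a third-party rule file before loading it, confirming that each rule does only what the quoted message describes: alert on a domain name in the HTTP Host string. This is an added example, not code from either poster; the sample rules, sids and .example domains are constructed, and the option allow-list is an assumption about what such a rule needs.

```python
import re

# header: action proto src sport dir dst dport (options)
RULE = re.compile(r'^(\w+)\s+\w+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s+\((.*)\)\s*$')
# one "name;" or "name:value;" option; quoted values may contain escaped characters
OPTION = re.compile(r'\s*(\w+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?\s*;')
# assumption: the only options a plain Host-header alert rule needs
ALLOWED = {"msg", "flow", "content", "nocase", "depth", "offset", "within",
           "distance", "classtype", "reference", "sid", "rev"}
HOST = re.compile(r'^"Host(?:\|3a\||:)\s*[\w.-]+', re.I)

def vet_rules(text):
    """Return (line_number, problem) pairs for rules that need a human look."""
    findings, seen_sids = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            findings.append((n, "unparseable rule"))
            continue
        action, body = m.groups()
        opts = OPTION.findall(body)
        if action != "alert":  # e.g. a pass rule would silence other rules
            findings.append((n, f"action '{action}' is not alert"))
        for name, _ in opts:
            if name not in ALLOWED:  # e.g. options that respond to traffic
                findings.append((n, f"unexpected option '{name}'"))
        if not any(k == "content" and HOST.match(v) for k, v in opts):
            findings.append((n, "no Host header content match"))
        for k, v in opts:
            if k == "sid":
                if v in seen_sids:
                    findings.append((n, f"sid {v} repeats line {seen_sids[v]}"))
                seen_sids.setdefault(v, n)
    return findings

# Constructed sample file: one clean rule followed by three that should be flagged.
SAMPLE = "\n".join([
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Host bad.example"; flow:to_server,established; content:"Host|3a| bad.example"; nocase; sid:3000001; rev:1;)',
    r'pass tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"quiet"; content:"Host|3a| other.example"; sid:3000002; rev:1;)',
    r'alert tcp any any -> any any (msg:"odd"; content:"Host|3a| x.example"; react:block; sid:3000003; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"dup"; content:"Host|3a| y.example"; sid:3000001; rev:1;)',
])

if __name__ == "__main__":
    for lineno, problem in vet_rules(SAMPLE):
        print(f"line {lineno}: {problem}")
```

A clean lint only shows that the rules are structurally limited to alerting on Host strings; whether the listed domains deserve to be there still has to be checked against an independent source.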



